Quality Assurance in Software Development ... · Quality Assurance in Software Development Qualit atssicherung in der Softwareentwicklung A.o.Univ.-Prof. Dipl.-Ing. Dr. Bernhard Aichernig

tugraz

TU Graz

Quality Assurance in Software DevelopmentQualitatssicherung in der Softwareentwicklung

A.o.Univ.-Prof. Dipl.-Ing. Dr. Bernhard Aichernig

Institut fur Softwaretechnologie (IST)TU Graz

Summer Term 2019

B. Aichernig Quality Assurance in Software Development

1 / 45

tugraz

TU Graz

Agenda

1 Symbolic Execution

2 Concolic Execution


2 / 45

tugraz

TU Graz

Literature: Symbolic Execution

I James C. King. Symbolic Execution and Program Testing,Communications of the ACM, Volume 19, Issue 7. July 1976,Pages 385–394.


3 / 45

tugraz

TU Graz

Symbolic Execution

I Instead of normal program inputs

I one supplies symbols representing arbitrary values.

I Execution proceeds like normal execution,

I except that values may be symbolic formulas over the input values.

I Interesting: symbolic execution of branching statements (e.g.if-statements)

I A technique between testing and formal proofs.I Testing: execution with some concrete input valuesI Proofs: no execution


4 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c )2 {3 i n t x , y , z ;4 x = a + b ;5 y = b + c ;6 z = x + y − b ;7 r e tu rn z ;8 }


5 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c ) ← a = αa, b = αb, c = αc2 {3 i n t x , y , z ;4 x = a + b ;5 y = b + c ;6 z = x + y − b ;7 r e tu rn z ;8 }


6 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c ) ← a = αa, b = αb, c = αc2 {3 i n t x , y , z ; ← x = 0, y = 0, z = 04 x = a + b ;5 y = b + c ;6 z = x + y − b ;7 r e tu rn z ;8 }


7 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c ) ← a = αa, b = αb, c = αc2 {3 i n t x , y , z ; ← x = 0, y = 0, z = 04 x = a + b ; ← x = αa + αb, y = 0, z = 05 y = b + c ;6 z = x + y − b ;7 r e tu rn z ;8 }


8 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c ) ← a = αa, b = αb, c = αc2 {3 i n t x , y , z ; ← x = 0, y = 0, z = 04 x = a + b ; ← x = αa + αb, y = 0, z = 05 y = b + c ; ← x = αa + αb, y = αb + αc , z = 06 z = x + y − b ;7 r e tu rn z ;8 }


9 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c ) ← a = αa, b = αb, c = αc2 {3 i n t x , y , z ; ← x = 0, y = 0, z = 04 x = a + b ; ← x = αa + αb, y = 0, z = 05 y = b + c ; ← x = αa + αb, y = αb + αc , z = 06 z = x + y − b ;← x = αa + αb, y = αb + αc , z = αa + αb + αc7 r e tu rn z ;8 }


10 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c ) ← a = αa, b = αb, c = αc2 {3 i n t x , y , z ; ← x = 0, y = 0, z = 04 x = a + b ; ← x = αa + αb, y = 0, z = 05 y = b + c ; ← x = αa + αb, y = αb + αc , z = 06 z = x + y − b ;← x = αa + αb, y = αb + αc , z = αa + αb + αc7 r e tu rn z ; return αa + αb + αc8 }

The symbolic computation shows (proves) that the method sum returnsthe sum of its three input values.


11 / 45

tugraz

TU Graz

Bsp. Min

1 i n t min ( i n t x , i n t y )2 {3 i n t z ;4 i f ( x<y )5 z=x ;6 e l s e7 z=y ;8 r e tu rn z ;9 }


12 / 45

tugraz

TU Graz

Path Condition

I Symbolic execution of if-statement requires path condition (pc).

I pc is a Boolean expression over symbolic inputs.

I pc never contains program variables!

I pc is a conjunction of branching conditions.


13 / 45

tugraz

TU Graz

Bsp. Min

1 i n t min ( i n t x , i n t y ) ← x = αx , y = αy , pc = true2 {3 i n t z ;4 i f ( x<y )5 z=x ;6 e l s e7 z=y ;8 r e tu rn z ;9 }


14 / 45

tugraz

TU Graz

Bsp. Min

1 i n t min ( i n t x , i n t y ) ← x = αx , y = αy , pc = true2 {3 i n t z ; ← x = αx , y = αy , z = 0, pc = true4 i f ( x<y )5 z=x ;6 e l s e7 z=y ;8 r e tu rn z ;9 }


15 / 45

tugraz

TU Graz

Bsp. Min

1 i n t min ( i n t x , i n t y ) ← x = αx , y = αy , pc = true2 {3 i n t z ; ← x = αx , y = αy , z = 0, pc = true4 i f ( x<y ) ← Case 1: x = αx , y = αy , z = 0, pc = αx < αy5 z=x ;6 e l s e7 z=y ;8 r e tu rn z ;9 }


16 / 45

tugraz

TU Graz

Bsp. Min

1 i n t min ( i n t x , i n t y ) ← x = αx , y = αy , pc = true2 {3 i n t z ; ← x = αx , y = αy , z = 0, pc = true4 i f ( x<y ) ← Case 1: x = αx , y = αy , z = 0, pc = αx < αy5 z=x ; ← x = αx , y = αy , z = αx , pc = αx < αy6 e l s e7 z=y ;8 r e tu rn z ;9 }


17 / 45

tugraz

TU Graz

Bsp. Min

1 i n t min ( i n t x , i n t y ) ← x = αx , y = αy , pc = true2 {3 i n t z ; ← x = αx , y = αy , z = 0, pc = true4 i f ( x<y ) ← Case 1: x = αx , y = αy , z = 0, pc = αx < αy5 z=x ; ← x = αx , y = αy , z = αx , pc = αx < αy6 e l s e ← Case 2: x = αx , y = αy , z = 0, pc = ¬αx < αy7 z=y ;8 r e tu rn z ;9 }


18 / 45

tugraz

TU Graz

Bsp. Min

1 i n t min ( i n t x , i n t y ) ← x = αx , y = αy , pc = true2 {3 i n t z ; ← x = αx , y = αy , z = 0, pc = true4 i f ( x<y ) ← Case 1: x = αx , y = αy , z = 0, pc = αx < αy5 z=x ; ← x = αx , y = αy , z = αx , pc = αx < αy6 e l s e ← Case 2: x = αx , y = αy , z = 0, pc = ¬αx < αy7 z=y ; ← x = αx , y = αy , z = αy , pc = ¬αx < αy8 r e tu rn z ;9 }


19 / 45

tugraz

TU Graz

Bsp. Min

1 i n t min ( i n t x , i n t y ) ← x = αx , y = αy , pc = true2 {3 i n t z ; ← x = αx , y = αy , z = 0, pc = true4 i f ( x<y ) ← Case 1: x = αx , y = αy , z = 0, pc = αx < αy5 z=x ; ← x = αx , y = αy , z = αx , pc = αx < αy6 e l s e ← Case 2: x = αx , y = αy , z = 0, pc = ¬αx < αy7 z=y ; ← x = αx , y = αy , z = αy , pc = ¬αx < αy8 r e tu rn z ;← return(z = αx ∧ αx < αy ) ∨ (z = αy ∧ ¬αx < αy )9 }


20 / 45

tugraz

TU Graz

Bsp. Min(a,b,c)

1 i n t min ( i n t a , i n t b , i n t c )2 {3 r e tu rn4 min (5 min ( a , b ) ,6 c7 ) ;8 }


21 / 45

tugraz

TU Graz

Bsp. Min(a,b,c)

1 i n t min ( i n t a , i n t b , i n t c )2 { ← a = αa, b = αb, c = αc , pc = true3 r e tu rn4 min (5 min ( a , b ) ,6 c7 ) ;8 }


22 / 45

tugraz

TU Graz

Bsp. Min(a,b,c)

1 i n t min ( i n t a , i n t b , i n t c )2 { ← a = αa, b = αb, c = αc , pc = true3 r e tu rn4 min (5 min ( a , b ) ,← (= αa ∧ pc = αa < αb) ∨ (= αb ∧ pc = αa ≥ αb)6 c7 ) ;8 }


23 / 45

tugraz

TU Graz

Bsp. Min(a,b,c)

1 i n t min ( i n t a , i n t b , i n t c )2 { ← a = αa, b = αb, c = αc , pc = true3 r e tu rn4 min (5 min ( a , b ) ,← (= αa ∧ pc = αa < αb) ∨ (= αb ∧ pc = αa ≥ αb)6 c ← c = αc7 ) ;8 }


24 / 45

tugraz

TU Graz

Bsp. Min(a,b,c)

1 i n t min ( i n t a , i n t b , i n t c )2 { ← a = αa, b = αb, c = αc , pc = true3 r e tu rn4 min (5 min ( a , b ) ,← (= αa ∧ αa < αb) ∨ (= αb ∧ αa ≥ αb)6 c ← c = αc7 ) ; ← (= αa ∧ pc = αa < αb ∧ αa < αc)8 }


25 / 45

tugraz

TU Graz

Bsp. Min(a,b,c)

1 i n t min ( i n t a , i n t b , i n t c )2 { ← a = αa, b = αb, c = αc , pc = true3 r e tu rn4 min (5 min ( a , b ) ,← (= αa ∧ αa < αb) ∨ (= αb ∧ αa ≥ αb)6 c ← c = αc7 ) ; ← (= αa ∧ pc = αa < αb ∧ αa < αc) ∨8 } (= αb ∧ pc = αa ≥ αb ∧ αb < αc)


26 / 45

tugraz

TU Graz

Bsp. Min(a,b,c)

1 i n t min ( i n t a , i n t b , i n t c )2 { ← a = αa, b = αb, c = αc , pc = true3 r e tu rn4 min (5 min ( a , b ) ,← (= αa ∧ αa < αb) ∨ (= αb ∧ αa ≥ αb)6 c ← c = αc7 ) ; ← (= αa ∧ pc = αa < αb ∧ αa < αc) ∨8 } (= αb ∧ pc = αa ≥ αb ∧ αb < αc) ∨9 (= αc ∧ pc = αa < αb ∧ αa ≥ αc)


27 / 45

tugraz

TU Graz

Bsp. Min(a,b,c)

1 i n t min ( i n t a , i n t b , i n t c )2 { ← a = αa, b = αb, c = αc , pc = true3 r e tu rn4 min (5 min ( a , b ) ,← (= αa ∧ αa < αb) ∨ (= αb ∧ αa ≥ αb)6 c ← c = αc7 ) ; ← (= αa ∧ pc = αa < αb ∧ αa < αc) ∨8 } (= αb ∧ pc = αa ≥ αb ∧ αb < αc) ∨9 (= αc ∧ pc = αa < αb ∧ αa ≥ αc) ∨

10 (= αc ∧ pc = αa ≥ αb ∧ αb ≥ αc)


28 / 45

tugraz

TU Graz

Symbolic Execution TreeSymbolic execution forcs at each if-statement:

αa < αb

αa < αc

min = αa

T

min = αc

F

T

αb < αc

min = αb

T

min = αc

F

F


29 / 45

tugraz

TU Graz

From Path Conditions to Concrete Test Cases

I Calculation: pc2 = true ∧ αa < αb ∧ ¬(αa < αc)

I Path condition represents equivalence class for all concrete valuestaking a path.

I Concrete test cases: find concrete values satisfying pcI e.g. for pc2: a = 0, b = 1, c = 0

I Result: path coverage


30 / 45

tugraz

TU Graz

Limitations

I infinite number of paths (loops)

I infeasible paths (pc = false)

I limitations of solvers and theorem provers

I all code must be accessible (white-box)

I only for single-threaded programs


31 / 45

tugraz

TU Graz

Symbolic Execution Tools

I Klee: for C (LLVM), http://klee.github.io/

I Symbolic PathFinder for Java (bytecode): http://babelfish.

arc.nasa.gov/trac/jpf/wiki/projects/jpf-symbc


32 / 45

http://klee.github.io/

http://babelfish.arc.nasa.gov/trac/jpf/wiki/projects/jpf-symbc

http://babelfish.arc.nasa.gov/trac/jpf/wiki/projects/jpf-symbc

tugraz

TU Graz

Concolic Execution

I Concolic = Concrete + Symbolic

I also called Dynamic Symbolic Execution (Microsoft)

I Concrete and Symbolic Execution in parallel

I Due to concrete execution:I No infeasable paths!I Integration of black-box components possible.


33 / 45

tugraz

TU Graz

Concolic Execution Loop

Algorithm

1 Covered := {} covered set of inputs

2 select new input i 6∈ Covered stop if no one found

3 execute Program(i) and record path condition C C(i) holds

4 Covered := Covered ∪ {i |C (i)}5 goto 2

I New input i 6∈ Covered after n iterations:solve ¬Ci1 ∧ · · · ∧ ¬Cin

I Stop when ¬Ci1 ∧ · · · ∧ ¬Cin = false


34 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c )2 {3 i n t x , y , z ;4 x = a + b ;5 y = b + c ;6 z = x + y − b ;7 r e tu rn z ;8 }


35 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c )2 { ← a = (αa, 1), b = (αb, 2), c = (αc , 3)3 i n t x , y , z ;4 x = a + b ;5 y = b + c ;6 z = x + y − b ;7 r e tu rn z ;8 }


36 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c )2 { ← a = (αa, 1), b = (αb, 2), c = (αc , 3)3 i n t x , y , z ; ← x = 0, y = 0, z = 04 x = a + b ;5 y = b + c ;6 z = x + y − b ;7 r e tu rn z ;8 }


37 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c )2 { ← a = (αa, 1), b = (αb, 2), c = (αc , 3)3 i n t x , y , z ; ← x = 0, y = 0, z = 04 x = a + b ; ← x = (αa + αb, 3), y = (0, 0), z = (0, 0)5 y = b + c ;6 z = x + y − b ;7 r e tu rn z ;8 }


38 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c )2 { ← a = (αa, 1), b = (αb, 2), c = (αc , 3)3 i n t x , y , z ; ← x = 0, y = 0, z = 04 x = a + b ; ← x = (αa + αb, 3), y = (0, 0), z = (0, 0)5 y = b + c ; ← x = (αa + αb, 3), y = (αb + αc , 5), z = (0, 0)6 z = x + y − b ;7 r e tu rn z ;8 }


39 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c )2 { ← a = (αa, 1), b = (αb, 2), c = (αc , 3)3 i n t x , y , z ; ← x = 0, y = 0, z = 04 x = a + b ; ← x = (αa + αb, 3), y = (0, 0), z = (0, 0)5 y = b + c ; ← x = (αa + αb, 3), y = (αb + αc , 5), z = (0, 0)6 z = x + y − b ;← x = (αa + αb, 3), y = (αb + αc , 5),7 z = (αa + αb + αc , 6)8 r e tu rn z ;9 }


40 / 45

tugraz

TU Graz

Bsp. Sum

1 i n t sum ( i n t a , i n t b , i n t c )2 { ← a = (αa, 1), b = (αb, 2), c = (αc , 3)3 i n t x , y , z ; ← x = 0, y = 0, z = 04 x = a + b ; ← x = (αa + αb, 3), y = (0, 0), z = (0, 0)5 y = b + c ; ← x = (αa + αb, 3), y = (αb + αc , 5), z = (0, 0)6 z = x + y − b ;← x = (αa + αb, 3), y = (αb + αc , 5),7 z = (αa + αb + αc , 6)8 r e tu rn z ; ← return(αa + αb + αc , 6)9 }


41 / 45

tugraz

TU Graz

Bsp. Min: Iteration 1

1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 0), pc1 = true2 {3 i n t z ;

← x = (αx , 0), y = (αy , 0), z = (0, 0), pc1 = true

4 i f ( x<y )

¬(0 < 0)

5 z=x ;6 e l s e

← x = (αx , 0), y = (αy , 0), z = (0, 0), pc1 = ¬(αx < αy )

7 z=y ;

← x = (αx , 0), y = (αy , 0), z = (αy , 0), pc1 = ¬(αx <αy )

8 r e tu rn z ;

← return z = (αy , 0), pc1 = ¬(αx < αy )

9 }

Find new input values such that ¬C = ¬pc1 = αx < αy holds andexecute again, e.g. min(0, 1)


42 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 0), pc1 = true2 {3 i n t z ; ← x = (αx , 0), y = (αy , 0), z = (0, 0), pc1 = true4 i f ( x<y )

¬(0 < 0)

5 z=x ;6 e l s e

← x = (αx , 0), y = (αy , 0), z = (0, 0), pc1 = ¬(αx < αy )

7 z=y ;


8 r e tu rn z ;


9 }



42 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 0), pc1 = true2 {3 i n t z ; ← x = (αx , 0), y = (αy , 0), z = (0, 0), pc1 = true4 i f ( x<y ) ¬(0 < 0)5 z=x ;6 e l s e

← x = (αx , 0), y = (αy , 0), z = (0, 0), pc1 = ¬(αx < αy )

7 z=y ;


8 r e tu rn z ;


9 }



42 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 0), pc1 = true2 {3 i n t z ; ← x = (αx , 0), y = (αy , 0), z = (0, 0), pc1 = true4 i f ( x<y ) ¬(0 < 0)5 z=x ;6 e l s e ← x = (αx , 0), y = (αy , 0), z = (0, 0), pc1 = ¬(αx < αy )7 z=y ;


8 r e tu rn z ;


9 }



42 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 0), pc1 = true2 {3 i n t z ; ← x = (αx , 0), y = (αy , 0), z = (0, 0), pc1 = true4 i f ( x<y ) ¬(0 < 0)5 z=x ;6 e l s e ← x = (αx , 0), y = (αy , 0), z = (0, 0), pc1 = ¬(αx < αy )7 z=y ; ← x = (αx , 0), y = (αy , 0), z = (αy , 0), pc1 = ¬(αx <

αy )8 r e tu rn z ;


9 }



42 / 45

tugraz

TU Graz



αy )8 r e tu rn z ;← return z = (αy , 0), pc1 = ¬(αx < αy )9 }



42 / 45

tugraz

TU Graz



αy )8 r e tu rn z ;← return z = (αy , 0), pc1 = ¬(αx < αy )9 }



42 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 1), pc2 = true2 {3 i n t z ;

← x = (αx , 0), y = (αy , 1), z = (0, 0), pc2 = true

4 i f ( x<y )

(0 < 1): ⇒ pc2 = αx < αy

5 z=x ;

← x = (αx , 0), y = (αy , 1), z = (αx , 0), pc2 = αx < αy

6 e l s e7 z=y ;8 r e tu rn z ;

← return z = (αx , 0), pc2 = αx < αy

9 }

Finding new input values such that ¬C = ¬pc1 ∧ ¬pc2 = false is notpossible, hence terminate.


43 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 1), pc2 = true2 {3 i n t z ; ← x = (αx , 0), y = (αy , 1), z = (0, 0), pc2 = true4 i f ( x<y )

(0 < 1): ⇒ pc2 = αx < αy

5 z=x ;




9 }



43 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 1), pc2 = true2 {3 i n t z ; ← x = (αx , 0), y = (αy , 1), z = (0, 0), pc2 = true4 i f ( x<y ) (0 < 1):

⇒ pc2 = αx < αy

5 z=x ;




9 }



43 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 1), pc2 = true2 {3 i n t z ; ← x = (αx , 0), y = (αy , 1), z = (0, 0), pc2 = true4 i f ( x<y ) (0 < 1): ⇒ pc2 = αx < αy5 z=x ;




9 }



43 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 1), pc2 = true2 {3 i n t z ; ← x = (αx , 0), y = (αy , 1), z = (0, 0), pc2 = true4 i f ( x<y ) (0 < 1): ⇒ pc2 = αx < αy5 z=x ; ← x = (αx , 0), y = (αy , 1), z = (αx , 0), pc2 = αx < αy6 e l s e7 z=y ;8 r e tu rn z ;


9 }



43 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 1), pc2 = true2 {3 i n t z ; ← x = (αx , 0), y = (αy , 1), z = (0, 0), pc2 = true4 i f ( x<y ) (0 < 1): ⇒ pc2 = αx < αy5 z=x ; ← x = (αx , 0), y = (αy , 1), z = (αx , 0), pc2 = αx < αy6 e l s e7 z=y ;8 r e tu rn z ;← return z = (αx , 0), pc2 = αx < αy9 }



43 / 45

tugraz

TU Graz


1 i n t min ( i n t x , i n t y ) ← x = (αx , 0), y = (αy , 1), pc2 = true2 {3 i n t z ; ← x = (αx , 0), y = (αy , 1), z = (0, 0), pc2 = true4 i f ( x<y ) (0 < 1): ⇒ pc2 = αx < αy5 z=x ; ← x = (αx , 0), y = (αy , 1), z = (αx , 0), pc2 = αx < αy6 e l s e7 z=y ;8 r e tu rn z ;← return z = (αx , 0), pc2 = αx < αy9 }



43 / 45

tugraz

TU Graz

Limitations

I infinite number of paths: upper bounds

I limitations of solvers and theorem provers

I for single-threaded programs


44 / 45

tugraz

TU Graz

Concolic Execution Tools

I jCute: for Java,http://osl.cs.illinois.edu/software/jcute/

I IntelliTest (Pex): for C#, see exercise

I PathCrawler: for C programs, http://pathcrawler-online.com


45 / 45

http://osl.cs.illinois.edu/software/jcute/

http://pathcrawler-online.com

Documents

Quality Assurance in Software Development ... · Quality Assurance in Software Development Qualit atssicherung in der Softwareentwicklung A.o.Univ.-Prof. Dipl.-Ing. Dr. Bernhard Aichernig